Cisco Switching/Routing :: 3560 VACL Don't Work At All
Apr 2, 2013
I have switch Cisco 3560 and I would like to filter multicast traffic. Short explanation. This are multicast addresses from provider on VLAN 888 :
I expect that streams from acl Streamfrom888 will be dropped and the rest of streams will be forwarded. Unfortunately traffic from all streams passs through.how to configure VACL or where in my configuration is mistake?
We have over 30 Cisco 3560 switches and over 10 VLANs on our network. In our example, VLAN 10 on switch IP 10.0.20.150 works fine and VLAN 10 on switch IP 10.0.20.24 doesn’t work. The below are both switches show vlan. url....I can’t tell what causes the problem and how to fix it. VLAN 10 on Switch 10.0.20 24 doesn’t work. [code]
Is there a way to configure a VACL capture on 3560-x, we need more than 2 SPAN sessions. Feature navigator indicates that this feature is supported but it seems like it's not implemented in the IOS yet.
I've got a 3560-X that passes POST according to console, but there are issues nonetheless...USB console doesn't work. RJ45 works just fine. No status lights turn on at any point (e.g. syst, xps...). 10g network module is installed with a 10g LRM SFP. All lights on the module are amber. However, it passes according to POST. Switch passes traffic, obeys config, etc. Link lights on RJ45 ports work fine. This was brand new out of the box. Thinking about trying IOS reload..
I´m facing to one issue with VACL. i have a network lan with 10.40.X.X/16 . in this network i have a Production v LAN 10 with 10.40.10.X/24 and i have created one vlan103 for Guest´ user as 10.40.103.X/24
My goals is to restrict the v LAN 103 to reach or access the v LAN 10, better to restrict Guest user access to the production v LAN. So i try to put this script with VACL method, but does n´t work.
Extended IP access list Restriction-Guest 10 permit ip 10.40.103.0 0.0.0.255 any vlan access-map Guest 10 action drop match ip address Restriction-Guest vlan filter Guest vlan-list 10
After that i still able to ping or access to the v LAN 10 form v LAN 103.
i have a catalyst 3750, in this switch i have 3 vlan, i need to secure trafic between vlans but im confused ,should i use ACL or VACL to secure ?which is the best ?if i use ACL to secure and limit ports between vlan, which is the best practice to apply the acl ( on th inside or outside of interface)
I have used stack wise 3750 for a long time. Now,I have a new stack of 3750. Both of them are trunking together. If I have a VACL running in the old stack, do I need also implement in the new one.
Does one can use a Vacl to monitor network traffic on a nexus 3064 much like you can on the 6500s? If so, any performance tradeoffs or caveats to be aware of ?
The last few days I've been exploring options in getting rid of some old routers accross a wan connections. I have a cat 3560 to play with and I thought I would try and use the no switchport command test out routing with switch. I've got some type of route issue and I tried a few things which I thought would fix the issue but had no effect. I'll post the config and a few commands so you can see what the basic setup is.
Here we can see in the arp that it knows about both 10.7.1.2 (PC unable to ping 10.3.3.254) as well as 10.3.3.254 (ASA).I tried adding in a ip route of 10.7.0.0 255.255.0.0 10.3.3.110 as well as 10.3.3.254. Neither produced the results I wanted allowing 10.7.1.2 (PC) to ping the ASA (10.3.3.254). [code]
I have an environment of 3 X 3560G of which I have 1st switch-CORE(f0/10) connecting to the VPN router(CE) interface-f0/0. Remaining 2 Cisco 3560's(Access) are connected to Gi0/1 and Gi0/2 on the 1st switch-CORE via gi0/1 . On all three switches I have created multiple VLANs and assigned ports to these VLAN. The switch to switch connection is trunk allowing all VLANs created on all these 3 switches. Now the issue is how I am going to have all these VLANs routed through single interface on the routeri-e f0/0, as all these subnets will communicating to remote site over VPN. What should be default gateway on the 2 Access switches and the CORE switch, also what static route should be on router to reach all subnets(VLANs) created on these 3 switches.
I have read inter-VLAN routing i-e creating sub interfaces on router but dont want to proceed with that and looking for any other way to have my VLANs talk on all three switches and then are accessible to remote site ove VPN?
I have tried to make policy based routing on Cisco 3560. I use ipservices ios (SW version 12.2.(50)SE3 and SW-IMAGE C3560-IPSERVICESK9-M) For below configuration there is no problem and pbr is working.
“Access-list 100 permit ip host 1.1.1.1 host 2.2.2.2 Access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 Route-map pbr1 permit 10 Match ip address 100 Set ip next-hop verify-availability 1.1.1.2 1 track 11 interface fasthethernet 0/1 ip policy route-map pbr1”
But when i add another sequence to the "pbr1" with another sequence number like that.
“Route-map pbr1 permit 11 Match ip address 101 Set ip next-hop verify-availability 1.1.1.3 1 track 12”
pbr is not working. Switch gives message "PLATFORM_PBR-3-UNSUPPORTTED_RMP:Route-map pbr1 not supported for Policy Based Routing”"ip policy route-map pbr1" command not shown in the running config. And "show ip policy" output is blank.Configuration guide says you have insert many sequence to the route-map with the same name. And also this command is not in the unsupported command list.
I am trying to get my workstation to talk to a workstation on a different sub-net through a Cisco 3560 switch. The switch is running the following IOS version: [code]
My primary network is 172.16.0.0 and I am trying to connect to a device on a 192.168.111.0 sub-net. [code]
What would be the best way to get the two workstations talking via the switch?
I implemented access list on cisco 3560 switch but it never works. I want to block access from network B to Network A and allow from Ato B Network A. 10.0.12.0/24 Network B 10.0.24.0/24
The configuration is interface Vlan1 description Data VLAN
We recently purchased Cisco 3560X Layer3 Switch. We need to perform simple Inter VLAN routing. We have configured VLAN1 (name-server_vlan) and VLAN2 (name- user_vlan). We have also assigned the Ports and IP address to both the VLANs. After assiging this if we plug Laptop A into VLAN1 then it doesnt communicates with Laptop B (btw, Laptop A is able to Ping VLAN2 Gateway ) in VLAN2 but on the other hand Laptop B is able to communicate with Laptop A and ping everything i.e. Gateway of VLAN1.
I have a 2504 WLC connected to a Catalyst 3560 which has multiple vlans and is connected to a 2800 series router. I know the catalyst is L3 but I am needing nat functions to get outside to the internet. From my 2800 series router I am able to ping out to the internet, also I am able to ping the vlan interfaces on the catalyst switch. Problem is from the catalyst switch I can ping the inside and outside address of the 2800 but I cannot get any further then that. I cannot ping the 2800 router gateway. Not sure what I am doing wrong as far as routing.
I am trying to upgrade the IOS in 3560 but I am facing one issue. Its flash is 15MB & available space is 8MB whereas the IOS is of 11MB. How can I upgrade the IOS without upgrading the flash?
We bought a 3560 PoE switch to replace tons of PoE-injectors but when connecting the devices our logs were flooded with
Mar 11 15:09:20.725: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD Mar 11 15:09:20.725: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied Mar 11 15:09:20.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down Mar 11 15:09:20.985: %ILPOWER-7-DETECT: Interface Fa0/7: Power Device detected: IEEE PD Mar 11 15:09:20.985: %ILPOWER-5-INVALID_IEEE_CLASS: Interface Fa0/7: has detected invalid IEEE class: 7 device. Power denied
While the message seems quite clear im wondering if there's any workaround on the problem?
I have a Cisco SW ( 3560 ) with one Trunk link to my router ( 7606 ), Trunk link is fully utilized so i need to add 2nd Trunk.Shall all move some customers from old trunk to 2nd one and create a new subterface for them ?I am think if i can create bundle and add subinterfaces under this bundle ?Add two GE ports to be memeber of this bundle ?
We have a IP-phone system connected to port 1 on a 3560 switch, the phone system tags traffic with dscp. The switch uplink is on port 24. Is this configuration correct:
I have a 3560, which is being used as our core router that I have recently installed. It still has the standard IOS which came with (C3560E-UNIVERSALK9-M) it but I need to implement policy based routing so need to upgrade it and have downloaded c3560-ipservicesk9-mz.122-58.SE2.bin and indeally would like to install it in the morning before people start work.
I have 2 questions, 1, Is the ipservices capable of PBR as I have been reading conflicting reports, in fact my friend who works for Cisco has advised that it is not possible on the 3560.
2, When I do upgrade will there be any current configurations that are not compatible with the new one, I wouldnt image that there would be any but just wanted to make sure as it would be the biggest headache ever if it went wrong.
I have a 3560 POE that will no longer boot and I am not able to load a fresh copy of software onto it. It appears that it has lost all data. When I attempt to TFTP a new IOS, I receive that following error:
Transfer cancelled by remote system
I have tried using dir flash: to see what is contained in the flash directory but I receive the below message:
unable to stat flash/: no such device
I am stuck in rommon mode so when I do switch: dir command, I don't even see flash as being a filesystem. The below list are the only systems registered.
I have issue with 3560 switch QoS configuration . I checked in cisco site about mentioned model QoS configuration.once we mark the frame and map the CoS to DSCP and once it enters into switch and it processes according to LAN QoS configured on interface
we have configured both the commands shape and share.
once it leaves the switch and enters into Edge router and if we do not have configured QoS in router which is normally MQC , how does it process each packet ?Do we need to have end to end QoS configured in LAN ?
I found that when I enabled layer 2 auto QoS in 3560 switch, I need to wait so much time to open a file in network drive. Howerver, when I disable the Qos. It can improve a lot. I have used a sniffer to capture the packet to see. Those default packet is in DSCP 0. Therefore, I think majority packet will drop to queue 4. How can I increase the buffer and threshold in order to improve queue 4 performance.
We have two L3 3560's. One 3560 has an upstream MPLS router. The other 3560 has an upstream backup VPN router. Both of these 3560's are L3 switches with IP routing enabled. I created a PBR on both so that specific traffic routes through the MPLS router, while other traffic routes over the backup VPN router. I'm trying to apply the PBR to the SVI's, on each switch. However, when I do a "sh run", the PBR does not appear under either SVI. I've enabled the SDM Routing template, made sure that ip routing was enabled, and even verified that the IOS has the capability. Not sure what else to check for.
I've a question about QoS classification on Cat3560 From
"When QoS is enabled with the mls qos global configuration command and all other QoS settings are at their defaults, traffic is classified as best effort (the DSCP and QoS value is set to 0) without any policing. No policy maps are configured. The default port trust state on all ports is untrusted."
Now, when mls qos cos override is configured on a port, how is the switch behavior ? From documentation "All the incoming QoS values are assigned the default QoS value configured with this command". However I believe the port state is "untrusted".....so which DSCP values are assigned to them ? Is used a Qos-to-dscp map to derive the QoS label from the (overridden) QoS value also in this scenario ?
All switches are multilayer switches ( 3560) Pc1 and PC2 are running Cisco Soft phones. If we configure SW3 with: int f1/4 mls qos trust dscp.
1)Does the above command require SW3's f1/4 be configured as layer 3 port not layer 2? ( My reasoning is since Sw3 has to get to Ip header to process DSCP values, therefore Sw3'f1/4 should be configured for layer 3 operation.)
2) What if sw3 were not 3560 but layer 2 switch such as old 2900 series. can layer 2 switch be configured with: mls qos trust dscp.? Will layer 2 switch be able to interpret dscp values and perform QOS ? ( My understanding is layer 2 switch should not be able to read dscp values ). I will be posting few more questions on the above scenario.
I upgraded our 3560-48-ps switch from c3560-advipservicesk9-mz.122-35.SE5.bin to c3560-ipservicesk9.mz.122-55.SE4bin and is having issues now.
Since I upgraded to the new IOS our older machines on the network can no longer connect to the domain and is not getting an IP address sh ip dhcp binding and sh ip dhcp conflict does not show any output, however all newer machines on the network received dhcp addresses without any problems and can connect to the network and internet.
For testing purposes I put the old IOS back on the switch and the older machines could connect again and received dhcp addresses.No other changes were made to the config.
I did a comparison on Cisco's website and both IOS's support DHCP. Not sure why the new IOS would not give any output when I ran the commands.older machines : Apollos and NCS (They all have XP service pack 2 with Intel 2.8 processors.)
I have a need to use a 3560 switch to terminate a provider's internet connection, but want to secure it so that it and the vlans connected to it are not wide open. At the same time, I'd like to use stateful packet inspection.
I have IOS 12.2(44)SE2, but IPBASE running on my 3560s. Is there an IOS (perhaps the ADVIPSERVICES of that version?) that allows a 3560 to use the 'ip inspect' command?